How Royal and BlackSuit Ransomware Operated, and How You Can Stop Attacks Like Theirs
- Lucas Daniels
- 6 days ago
- 3 min read
You might be familiar with BlackSuit, the successor to Royal, which defrauded 450 victims of over $370m since mid-2023 via ransomware. What you may not know, however, is that in July US law enforcement pulled off Operation Checkmate, knocking out their dark-web sites. But if you’re a founder, COO, CTO or GRC lead without a security squad, what matters most is how they worked, and what steps you can take today to keep your startup safe.
The Royal → BlackSuit Timeline and Operation Checkmate
Royal started in 2022, likely springing from ex-Conti members, using phishing, RDP compromise, RMM tools, living-off-the-land binaries, double extortion, and selective "intermittent" file encryption to go fast and stay under the radar.
By mid-2023, members had split off as BlackSuit, a link we know about because the two strains share nearly identical code (over 90% similarity). BlackSuit retained Royal’s M.O., targeting the healthcare, education, government and energy sectors in the US and beyond, compromising over 450 organizations, and demanding hundreds of millions in ransom.
Then came Operation Checkmate: in July 2025, US and international agencies (FBI, DOJ, DHS, Europol, and others) seized BlackSuit’s leak sites, negotiation portals and servers. Still, experts warn that the core actors rebrand quickly, most likely as "Chaos", with similar tools and techniques.
Why Their M.O. Should Make You Take Notice, and What You Can Do
1. They got in via phishing, RDP flaws, and vishing
Royal and BlackSuit used callback phishing to deliver remote-desktop malware, brute-forced exposed RDP, and abused RMM tools like AnyDesk or ScreenConnect.
Your move: Enforce multi-factor authentication on all access points. Only allow RDP or remote tools via VPN or zero-trust access. Train teams on phishing, and specifically on voice-based scams.
2. They moved fast, encrypted selectively, and dropped double-extortion threats
Their intermittent encryption (encrypting only part of each file) helped them avoid detection. Then they exfiltrated data and threatened to leak it if you didn’t pay.
Your move: Monitor for unusual file I/O and data exfiltration, keep immutable backups, and practice your incident response plan in a tabletop exercise. Know how to restore, and have a leak-response plan.
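One concrete form the "unusual file I/O" check can take: intermittent encryption leaves a document with runs of near-random bytes interleaved with its original low-entropy content, a pattern a per-chunk entropy scan can flag. The script below is an added illustration, not code from the original post; the chunk size, thresholds and sample data are assumptions.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096   # assumed inspection granularity
HIGH_ENTROPY = 7.5  # bits/byte: near-random (encrypted or compressed)
LOW_ENTROPY = 5.5   # bits/byte: typical of text and structured documents

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_profile(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]

def classify(data: bytes) -> str:
    """Label a file body by the shape of its entropy profile:
    'plain' (no near-random chunks), 'fully_random' (every chunk near-random:
    whole-file encryption, or a compressed format such as ZIP/JPEG),
    'intermittent' (near-random chunks interleaved with low-entropy ones,
    the footprint partial encryption leaves in a document), else 'unclear'."""
    profile = chunk_profile(data)
    if not profile:
        return "plain"
    high = sum(e >= HIGH_ENTROPY for e in profile)
    low = sum(e <= LOW_ENTROPY for e in profile)
    if high == len(profile):
        return "fully_random"
    if high and low:
        return "intermittent"
    if low == len(profile):
        return "plain"
    return "unclear"

def build_sample(kind: str, chunks: int = 8) -> bytes:
    """Constructed sample: a text-like document; 'intermittent' overwrites every
    other chunk with seeded pseudo-random bytes, 'fully_random' overwrites all."""
    rng = random.Random(1234)
    text = (b"quarterly report: revenue, costs, headcount, runway. " * 100)[:CHUNK_SIZE]
    parts = []
    for i in range(chunks):
        encrypted = kind == "fully_random" or (kind == "intermittent" and i % 2 == 1)
        parts.append(rng.randbytes(CHUNK_SIZE) if encrypted else text)
    return b"".join(parts)
```

Run it over a backup snapshot or a file-server share and alert on files that flip from "plain" to "intermittent" between scans; files that are legitimately compressed in parts (documents with embedded images) will need an allowlist, so treat the label as a trigger for investigation rather than proof.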
3. They leaned on leak sites and negotiation portals (now seized)
The gang used Tor sites to communicate demands and publish stolen data, until seized by Operation Checkmate.
Your move: Understand that even when their infrastructure is seized and the evidence disappears, attackers can rebuild it. Keep an updated threat intel feed and retain logs and data for forensic review.
What if this isn’t an option for my business?
This is an understandable concern: many start-ups simply can’t spare the manpower for dedicated security infrastructure, or don’t have a firm grasp on the technical side of things.
At Steel FYI, we aim to solve this very issue. We provide affordable, fast, and pragmatic security support for businesses like yours that care about their own and their customers’ safety.
Lots of what we’ve talked about here can be implemented on your own, and we strongly recommend doing so, but for the best support in all areas, contact us.
Closing Reflection
Ransomware likes unprepared targets. You don’t need a giant security team, just a secure mindset and a plan that grows with you. If you’d like a quick checklist or a workshop on ransomware playbooks built for lean teams, we’re ready when you are.
Let’s make sure your startup stays resilient, even when the threat resurfaces under a new name.